Can't apply roles effectively on Sonatype Nexus with Active Directory users

Question:

I'm trying to authenticate users through Active Directory with Sonatype Nexus OSS 2.11.2-06. Following <a href="https://books.sonatype.com/nexus-book/reference/ldap-sect-mapping-active-directory.html" rel="nofollow">https://books.sonatype.com/nexus-book/reference/ldap-sect-mapping-active-directory.html</a> :

<ol><li>I have set up "<em>LDAP Configuration</em>" settings so that "Check Authentication" is successful, and when I click on "<em>Check user mapping</em>" it shows my Active Directory test users on "<em>User Mapping Test Results</em>" and it shows a list of roles that correspond with the groups to which the users belong. <strong>Nice</strong>.</li> <li>I have set up those roles with the same privileges that I have already tested with other local test users (users created using the Nexus web interface). <strong>Ok</strong>.</li> <li>When I list the "<em>All Authorized Users</em>" on the "<em>Users</em>" page it shows my Active Directory test users with the right roles (AD Groups), Realm=LDAP and Status=Active. <strong>Fantastic</strong>.</li> </ol>

But when I try to deploy artifacts with Maven ("mvn deploy") <strong>it fails deploying it</strong>: <strong>ReasonPhrase: Unauthorized</strong>:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project mvntest: Failed to deploy artifacts: Could not transfer artifact edu.ub.test:mvntest:jar:1.0-20151204.135744-4 from/to repotest00rw (https://xxxxxxx.ub.edu:yyyy/nexus/content/repositories/repotest00): Failed to transfer file: https://xxxxxxx.ub.edu:yyyy/nexus/content/repositories/repotest00/edu/ub/test/mvntest/1.0-SNAPSHOT/mvntest-1.0-20151204.135744-4.jar. Return code is: 401, ReasonPhrase: Unauthorized. -> [Help 1]

If I use one of those local test users (users created using the Nexus web interface) (set on '.m2/settings.xml') with the same roles (as shown on Web UI) I can deploy artifacts without problems.

I have set "<strong>DEBUG</strong>" on all loggers and I can't find anything that can help me; it just looks like I'm being dealt with as an anonymous user:

2015-12-04 14:49:26,969+0100 DEBUG [qtp-9795081-67] anonymous org.sonatype.sisu.goodies.eventbus.internal.DefaultEventBus - Event 'RepositoryItemEventRetrieve(sender="repotest00" [id=repotest00], repotest00:/edu/ub/test/mvntest/1.0-SNAPSHOT/maven-metadata.xml)' fired
2015-12-04 14:49:26,970+0100 DEBUG [qtp-9795081-67] anonymous org.sonatype.nexus.proxy.maven.maven2.M2Repository - repotest00 retrieveItem() :: FOUND repotest00:/edu/ub/test/mvntest/1.0-SNAPSHOT/maven-metadata.xml
2015-12-04 14:49:26,999+0100 DEBUG [qtp-9795081-58] org.apache.shiro.session.mgt.DefaultSessionManager - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@601f6170]. Returning null to indicate a session could not be found.
2015-12-04 14:49:27,000+0100 DEBUG [qtp-9795081-58] *UNKNOWN org.sonatype.nexus.content.internal.ContentAuthenticationFilter - No authorization found (header or request parameter)
2015-12-04 14:49:27,000+0100 DEBUG [qtp-9795081-58] *UNKNOWN org.sonatype.nexus.content.internal.ContentAuthenticationFilter - No authorization found (header or request parameter)
2015-12-04 14:49:27,000+0100 DEBUG [qtp-9795081-58] *UNKNOWN org.sonatype.nexus.content.internal.ContentAuthenticationFilter - No authorization found (header or request parameter)
2015-12-04 14:49:27,000+0100 DEBUG [qtp-9795081-58] *UNKNOWN org.sonatype.nexus.content.internal.ContentAuthenticationFilter - Attempting to authenticate Subject as Anonymous request...
2015-12-04 14:49:27,000+0100 DEBUG [qtp-9795081-58] *UNKNOWN org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [anonymous] from doGetAuthenticationInfo

Can anybody help me?

Thanks a lot!

/Angel

Answer1:

From your description it seems like you have not created an external role mapping. See details at <a href="http://books.sonatype.com/nexus-book/reference/ldap-sect-external-role-mapping-config.html" rel="nofollow">http://books.sonatype.com/nexus-book/reference/ldap-sect-external-role-mapping-config.html</a>

The purpose of this mapping is to match an external (e.g. LDAP) group membership to a Nexus internal, repository management specific role.

You have to map the role of the user that you want to be able to deploy to a Nexus role that has write access to the repository you are targeting.

Answer2:

Oh, thanks to the <strong>Sonatype support team</strong> we realized that I missed the step of <a href="https://books.sonatype.com/nexus-book/reference/ldap-sect-enabling.html" rel="nofollow">8.2. Enabling the LDAP Authentication Realm</a>.

I just set it up and everything worked as expected.

Thanks also to you for trying to help me, Manfred.

Best regards,

/Ángel
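
Added example, not part of the original question or answers: a small Python parser for the DEBUG lines quoted in the question. For each request thread it reports which identity column was logged and whether `ContentAuthenticationFilter` reported no credentials and then fell back to an anonymous request. The column layout (timestamp, level, thread, optional user, logger, message) is inferred from the quoted lines, and the function names are hypothetical.

```python
import re

# Log lines copied from the question (a subset, embedded so this runs offline).
SAMPLE_LOG = """\
2015-12-04 14:49:26,970+0100 DEBUG [qtp-9795081-67] anonymous org.sonatype.nexus.proxy.maven.maven2.M2Repository - repotest00 retrieveItem() :: FOUND repotest00:/edu/ub/test/mvntest/1.0-SNAPSHOT/maven-metadata.xml
2015-12-04 14:49:26,999+0100 DEBUG [qtp-9795081-58] org.apache.shiro.session.mgt.DefaultSessionManager - Unable to resolve session ID from SessionKey [org.apache.shiro.web.session.mgt.WebSessionKey@601f6170]. Returning null to indicate a session could not be found.
2015-12-04 14:49:27,000+0100 DEBUG [qtp-9795081-58] *UNKNOWN org.sonatype.nexus.content.internal.ContentAuthenticationFilter - No authorization found (header or request parameter)
2015-12-04 14:49:27,000+0100 DEBUG [qtp-9795081-58] *UNKNOWN org.sonatype.nexus.content.internal.ContentAuthenticationFilter - Attempting to authenticate Subject as Anonymous request...
2015-12-04 14:49:27,000+0100 DEBUG [qtp-9795081-58] *UNKNOWN org.apache.shiro.realm.AuthenticatingRealm - Looked up AuthenticationInfo [anonymous] from doGetAuthenticationInfo
"""

# Assumed layout: timestamp LEVEL [thread] [user] logger - message.
# The user column is missing on some lines (the DefaultSessionManager one),
# so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\] "
    r"(?:(?P<user>\S+) )?(?P<logger>[\w.$]+) - (?P<msg>.*)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Per request thread: identities logged, and whether the content filter
    saw no credentials and then authenticated the request as anonymous."""
    threads = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = threads.setdefault(rec["thread"], {
            "users": set(), "no_credentials": False, "anonymous_fallback": False})
        if rec["user"]:
            info["users"].add(rec["user"])
        if rec["logger"].endswith("ContentAuthenticationFilter"):
            if rec["msg"].startswith("No authorization found"):
                info["no_credentials"] = True
            elif "authenticate Subject as Anonymous" in rec["msg"]:
                info["anonymous_fallback"] = True
    return threads


if __name__ == "__main__":
    for thread, info in summarize(SAMPLE_LOG).items():
        print(thread, sorted(info["users"]), info["no_credentials"], info["anonymous_fallback"])
```
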
